Hi,

After reading the Aims section at 
http://www.kerberos.org/software/tutorial.html, it states the user's password 
must never travel over the network.  Take for example using LDAP as the back 
end for the principals.  For a security review, I need to understand the path 
of the clear text password:

user runs kinit - this is the only time the password is entered in clear text?

kinit uses the string2key function to create a hashed encrypted key that 
replaces the password?

The hashed encrypted key is sent to the kdc and the kdc uses this hashed 
encrypted key to check the original password is correct in LDAP?

Hopefully I'm being clear about what I am asking, but basically this question 
will come up: will the clear text password ever be sent to the LDAP back end 
and possibly cached, and therefore compromised?

Thanks for any assistance with this,

Kevin
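The flow Kevin is asking about, as an added illustration that is not code from the kerberos.org tutorial or from MIT Kerberos: the client derives a key from the password with the RFC 3962 string-to-key function (PBKDF2-HMAC-SHA1 salted with realm and principal name), the KDC holds only that derived key in its database (file or LDAP backend), and the AS exchange carries a proof built from the key rather than the password. Two simplifications are assumptions of this example and are marked in the code: the DK() derivation step that real Kerberos applies after PBKDF2 is skipped, and an HMAC tag over the timestamp stands in for the AES-CTS encrypted timestamp of pre-authentication. The realm EXAMPLE.COM and the principal "kevin" are constructed sample values; the RFC 3962 test vector check is real.

```python
import hashlib
import hmac
import json

# Added illustration, not code from the kerberos.org tutorial or from MIT Kerberos.
# Realm and principal below are constructed sample values.

REALM = "EXAMPLE.COM"   # constructed sample realm
ITERATIONS = 4096       # default PBKDF2 iteration count in RFC 3962
CLOCK_SKEW = 300        # seconds of timestamp drift the simulated KDC tolerates


def string2key(password, realm, principal, iterations=ITERATIONS):
    """RFC 3962 string-to-key for the AES enctypes: PBKDF2-HMAC-SHA1 over the
    password, salted with realm + principal.  Real Kerberos then passes this
    through the DK() derivation step; that step is omitted here (assumption:
    the PBKDF2 output stands in for the long-term key)."""
    salt = (realm + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=32)


def kdc_enroll(db, principal, password):
    """What the admin tool does when a principal is created: derive the key
    once and store only the key.  'db' stands in for the KDC database,
    whichever backend (file or LDAP) holds it."""
    db[principal] = string2key(password, REALM, principal)


def client_as_req(principal, password, now):
    """kinit side: derive the key locally and prove possession of it by
    authenticating a timestamp (Kerberos pre-authentication, PA-ENC-TIMESTAMP).
    Simplification: an HMAC tag over the timestamp instead of AES-CTS encryption."""
    key = string2key(password, REALM, principal)
    ts = str(int(now))
    tag = hmac.new(key, ts.encode(), hashlib.sha1).hexdigest()
    return {"cname": principal, "realm": REALM, "pa_timestamp": ts, "pa_tag": tag}


def kdc_verify_as_req(db, req, now):
    """KDC side: fetch the stored key for cname and re-check the proof.  The
    password itself is never needed, so the backend never sees it."""
    key = db.get(req["cname"])
    if key is None:
        return False
    if abs(int(req["pa_timestamp"]) - int(now)) > CLOCK_SKEW:
        return False   # stale or replayed timestamp
    expected = hmac.new(key, req["pa_timestamp"].encode(), hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, req["pa_tag"])


def password_on_wire(req, password):
    """True if the clear-text password appears anywhere in the serialized request."""
    return password in json.dumps(req)


def run_demo():
    """Enroll a principal, run one good and one bad AS-REQ, and report
    (good accepted, bad accepted, password visible on the wire)."""
    db = {}
    kdc_enroll(db, "kevin", "correct horse battery")
    now = 1_700_000_000
    good = client_as_req("kevin", "correct horse battery", now)
    bad = client_as_req("kevin", "wrong password", now)
    return (kdc_verify_as_req(db, good, now),
            kdc_verify_as_req(db, bad, now),
            password_on_wire(good, "correct horse battery"))


if __name__ == "__main__":
    # RFC 3962 Appendix B vector: iteration count 1, "password", salt "ATHENA.MIT.EDUraeburn"
    print(string2key("password", "ATHENA.MIT.EDU", "raeburn", 1)[:16].hex())
    print("good accepted, bad accepted, password on wire:", run_demo())
```

Only the derived key reaches the database, and only a timestamp proof keyed with that derived key crosses the wire; the database holding the keys is still sensitive, since a stolen key lets an attacker impersonate the principal, which is why the KDC's backend (LDAP included) needs the same protection as the KDC itself.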


________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos